Extract An Android APK And View Its Source Code

So you’ve just made an Android application. One that took you ages to complete and something that you feel proud of. What is going to stop someone from stealing your logic and source code? How easy is it to obtain? The short story is that your source code is not safe by default and it is very easy to obtain.

Both are designed differently, but the source code is just as easy to access. For each of these application types, you will see how to better protect your code using obfuscation practices.

NOTE: Do not use this tutorial to do malicious things. Developers work hard on their applications, so please do not take advantage of them. Use the information found here to better protect yourself from malicious users.

1. Extracting the source from a native Android application

The source code of a native Android application is not difficult to obtain, but it does require extra tools that are compatible with Windows, Mac, and Linux. My personal favorites when it comes to tools are dex2jar and JD-GUI.

If you’re unfamiliar with these tools, dex2jar will read Dalvik Executable files and convert them to the standard JAR format. JD-GUI will read JAR files and decompile the class files found in them.

To make the extraction process easier to understand, let’s start by creating a fresh native Android project:

The above command will leave you with an Android project in your current command prompt path.

Since our project has an Activity class already included, lets jump straight into the build process. You can give me a hard time all day long about using Ant instead of Gradle or Maven, but for this tutorial I’m going to stick with it.

ant debug

The above command will create a debug build typically found at bin/TestProject-debug.apk. If you want to know more on building native Android projects, you can check out my previous post on the topic.

Using your favorite unzip tool, extract the APK file. 7-zip is a popular tool, but if you’re on a Mac you can just run the following from the Terminal:

unzip TestProject-debug.apk

This will leave us with a bunch of files and folders, but one one is important to us. Make note of classes.dex because it contains all of our source code. To convert it into something readable we need to run dex2jar on it. You can use dex2jar on Mac, Linux, and Windows, but I’m going to explain from a Mac perspective.

With the classes.dex file in your extracted dex2jar directory, run the following from the Terminal:

./dex2jar.sh classes.dex

Open the JD-GUI application that you downloaded because it is now time to decode the JAR and packaged class files. Open the freshly created classes_dex2jar.jar file and you should see something like the following:

See how easy it was to get to the source code of your native Android APK? Now what can you do to better protect yourself?

The Android SDK ships with Proguard, which is a obfuscation module. What is obfuscation you ask?

During the project creation process you are left with the default Apache Cordova CSS, HTML, and JavaScript templates. That is fine for us in this example. Let’s go ahead and build our project into a distributed APK file:

cordova build android

You’re going to be left with platforms/android/ant-build/CordovaApp-debug.apk or something along the lines of platforms/android/ant-build/*-debug.apk.

Even though this is a debug build, it is still very usable. With 7-zip or similar installed, right click the APK file and choose to extract or unzip it. In the extracted directory, you should now have access to all your web based source files. I say web based because any Java files used by Apache Cordova will have been compiled into class files. However, CSS, HTML, and JavaScript files do not get touched.

You just saw how depressingly easy it is to get hybrid application source code. So what can you do to better protect yourself?

You can uglify your code, which is a form of obfuscation.

Doing this will not encrypt your code, but it will make it that much more difficult to make sense of.

If you want to uglify your code, I recommend you install UglifyJS since it is pretty much the standard as of now. If you prefer to use a task runner, Grunt and Gulp have modules for UglifyJS as well.

Conclusion

We just saw how strikingly easy it is to get native and hybrid Android source code. There is no way to encrypt your code or make it impossible to break into. If someone is willing enough, they’ll find what they want. You can however, obfuscate your code and make it more difficult for a malicious user to obtain your source code.

Moral of the story here is don’t store sensitive information in your application such as hard coded passwords.

Nic Raboy

Nic Raboy is an advocate of modern web and mobile development technologies. He has experience in Java, JavaScript, Golang and a variety of frameworks such as Angular, NativeScript, and Apache Cordova. Nic writes about his development experiences related to making web and mobile development easier to understand.